Security expert warns fire department lockboxes can be hacked

February 28, 2013|By Jim Finkle | Reuters

SAN FRANCISCO (Reuters) - A security expert warned that criminals can gain access to locked businesses and apartments across the United States by reproducing the master keys now issued only to firefighters during emergencies.

The expert said he identified a flaw in the heavy metal boxes made by an Arizona-based company called Knox Co, now commonly found outside millions of apartment complexes and commercial properties in cities across the country, including Chicago, Atlanta and San Francisco.

These so-called "Knox Boxes" contain keys to apartments and other spaces, which in turn only firefighters issued a master key can open. Knox told Reuters on Friday it was unaware of any security flaws in its products, but will investigate research presented at the RSA conference in San Francisco this week.

Justin Clarke, a researcher with cyber security firm Cylance Inc, said he created a key capable of opening a Knox Box after buying one from the company's website for about $300 and blank keys on eBay for about $2 each, all of which were mailed to his home.

Because Knox issues one standard master key to firefighters in each city, a single hack - or reproduced key - can, in theory, give criminals access to every box installed within that particular city. Some federal government facilities overseas have Knox Boxes placed outside of them.

Dohn Trempala, an engineer with Phoenix-based Knox, told Reuters he found it hard to believe that Clarke had succeeded in fabricating a Knox Box key, noting that similar claims in the past have turned out to be false.

"I'm not saying that somebody can't eventually make one, but I haven't seen it yet," Trempala said.

He said the government was also looking into the matter.

"The Feds are already working on it," he said, but would not elaborate. Officials with the FBI and Department of Homeland Security declined comment.

METHOD

During his presentation at the conference, Clarke described how he created the Knox Box key in about four hours using the purchased box and a $30 metal file.

Clarke said he removed the core of a Knox Box lock with a socket wrench, pulled out the pins, replaced them, measured the grooves, then carved out a key with the file. He subsequently confirmed the key worked by testing it on a locked Knox Box in his own laboratory.

"A highly motivated criminal with plenty of time on their hands and incredible focus could do this. All it takes is time, focus and intent," said Clarke, whose full-time job is finding security bugs in computer networks, not mechanical devices.

Marc Weber Tobias, a well-regarded expert on lock security who reviewed Clarke's research, said he believed Clarke's hack could be replicated.

"What he did is not technical. It's not sophisticated," Tobias said. "It's good research. He alerted everybody to a vulnerability."

Tobias suggested that Knox can prevent criminals from using Clarke's technique to fabricate keys by changing the way it distributes its products. Knox now ships unlocked boxes to users; customers must call their local fire department to have the devices locked up.

Tobias said Knox should ship boxes to customers without locks, then deliver the locks directly to local fire departments, who would be responsible for installing the locks, as well as turning the key.

That would prevent criminals from replicating the technique Clarke described, he said.